July 1st was a big day in Florida if you’re a follower of info security news. That was the day Florida’s new Florida Information Protection Act (FIPA) came into effect and had immediate consequences for anyone that does business in Florida, has employees there or has customers that reside there.
There’s some decent analysis by a number of different law firms online but let’s take a look at what some of the highlights within FIPA are:
- There are two types of records that must receive increased protection: Personal Information and Customer Records.
- The definition of personal information is very broad, covering anything from Social Security numbers to driver’s licence numbers, financial account information and more.
- Customer records are any personal information collected for purchasing, leasing or obtaining a product or service.
- Notification requirements are also in place, and companies have to follow them in the event of a breach. Depending on the situation and scale of the data breach, the Florida Department of Legal Affairs must be notified within 30 days of the breach if it affects 500 or more individuals.
- Written notice of the breach must include:
  - A synopsis of the events surrounding the breach
  - The number of individuals in Florida affected
  - Services offered without charge and instructions on how to use them
  - A copy of the notice sent to affected consumers
  - Contact information for people to call with questions
These are just some of the items covered and we encourage readers in Florida to check out all the details, especially if you have employee and customer information that needs to be properly protected as a result of the introduction of this legislation.
But in digging deeper, there are a couple of things that really popped out at us:
- Organizations will also have to file a police, incident or computer forensics report of the incident and include a copy of the policies they have in place about security breaches and what they’ll do to rectify the breach. This is a public disclosure of how an organization protects their information. If there’s no policy in place, there could be some serious repercussions for the organization if enough steps weren’t taken to secure information in the first place.
- It’s not just the organization that’s on the hook for keeping information properly secured. If third-party vendors have access to company information and they’re the source of the leak, they’re mandated to comply with the disclosure rules, and the primary company is just as culpable and responsible for the disclosure. Net-net: if your third-party vendor or supplier loses your customer data, you’re just as at fault as that vendor for not ensuring they were following the same policies your organization should be following.
The last part about this new law that reinforces the fact businesses in Florida should take it seriously? It has teeth. “The penalty for not abiding by these rules is $1,000 each day for the first 30 days following any violation of the notice requirements, and $50,000 for each subsequent 30-day period or portion thereof up to 180 days. The maximum penalty for violation of this Act is $500,000.”
If you’re a business based in Florida, or an organization that does business in Florida and stores customer data, it’s now more important than ever that you implement security policies to protect that data in the event of a breach.
As always, from WinMagic’s perspective, the strongest foundation for any security solution should start with encryption. This is the best option for most companies with regard to this new law, because any information that is encrypted or otherwise properly secured is exempt from the disclosure requirements. The rationale is that the information is useless to whoever obtains it without the proper tools or keys to decrypt it.